
I'm trying to build a service that can take a distro, package, and a version number, and use that information to check if there's an active CVE out for that tuple.

After some searching, I've found that changelogs reliably cite CVEs, so I was thinking about parsing changelogs for CVE ids and reporting based on that. Unfortunately, we run a very heterogeneous architecture, with CentOS, Ubuntu, and Debian boxes running our software.

I know that each box can fetch changelogs for itself, but this isn't feasible because of how we set up monitoring (I know I know, but trust me on this one). I have a data dump of the package info for all of these machines sitting on a server, and the data is regularly updated as these boxes phone home.

Is there a way to have a single machine that can fetch changelogs for every distro? Or do I need an Ubuntu machine to fetch the Ubuntu changelogs, a CentOS one to call yum changelog, etc.?

Thanks!

user358829
  • 103
  • 2

1 Answer

1

Since you explicitly asked about CVEs already, what you more likely want to do is not parse change logs manually, but rather use existing tool sets for examining which CVEs are fixed in which releases of the distros.

Each distribution has some system in place to track security issues in a central place.

For Ubuntu, this is called ubuntu-cve-tracker. A good example of what you can do with it is the Ubuntu CVE tracking website. There is a repository of the entire tracker state that you can examine using Bazaar:

$ bzr branch lp:ubuntu-cve-tracker
$ grep xenial_ ubuntu-cve-tracker/active/CVE-2017-9936
xenial_tiff: needed
xenial_tiff3: DNE

Consider investigating the /scripts directory and seeing for yourself in what way you can reuse code from there.

Bold warning: Do not simply automate accessing Launchpad or Ubuntu change log mirrors other than in the way Ubuntu folks intended. Ubuntu mirrors and Launchpad work because people dedicate massive amounts of free resources and you are expected to either use already documented ways of accessing data or file a bug asking nicely.

anx
  • 8,963
  • 5
  • 24
  • 48
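The grep in the answer above shows the `<release>_<source-package>: <status>` lines the tracker keeps per CVE. Here is an added example (not from the answer or the ubuntu-cve-tracker project) that parses such a file into a lookup table for the questioner's (release, package) tuples; the sample file content is constructed, and the header lines and the statuses other than `needed` and `DNE` are assumptions about the tracker's format.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the style of the two grep lines from the answer.
# The "Candidate:", "Priority:" and "upstream_" lines and the "released"
# status are assumed, not taken from the page.
SAMPLE_CVE_FILE = """\
Candidate: CVE-2017-9936
Priority: medium
upstream_tiff: released (4.0.8)
xenial_tiff: needed
xenial_tiff3: DNE
trusty_tiff: needed
trusty_tiff3: needed
"""

# Matches "<release>_<package>: <status>" with an optional "(detail)" such as
# the fixed version. Header keys like "Candidate:" carry no underscore and
# "Patches_x" starts with a capital, so neither is picked up by mistake.
STATUS_LINE = re.compile(
    r"^([a-z][a-z0-9.-]*)_([A-Za-z0-9.+-]+):\s*(\S+)(?:\s*\((.*)\))?\s*$"
)

# Statuses meaning the release is still exposed (assumed vocabulary beyond
# the "needed" shown on the page).
OPEN_STATUSES = {"needed", "pending", "deferred"}

Entry = Tuple[str, Optional[str]]  # (status, detail)


def parse_tracker_file(text: str) -> Dict[Tuple[str, str], Entry]:
    """Map (release, source_package) -> (status, detail) for every status line."""
    table: Dict[Tuple[str, str], Entry] = {}
    for line in text.splitlines():
        m = STATUS_LINE.match(line)
        if m:
            release, package, status, detail = m.groups()
            table[(release, package)] = (status, detail)
    return table


def is_open(table: Dict[Tuple[str, str], Entry], release: str, package: str) -> Optional[bool]:
    """True if the CVE is still unfixed for (release, package), False if it is
    fixed, not affected or DNE (does not exist) there, None if the tracker has
    no line for that pair at all (do not silently treat that as 'safe')."""
    entry = table.get((release, package))
    if entry is None:
        return None
    return entry[0] in OPEN_STATUSES
```

Running this over every file under `active/` in a branched tracker gives a table you can join against the package dump described in the question, without touching Launchpad or the mirrors.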